Ethernet Switching
Posts: 8
Registered: ‎12-22-2011

Firewall filtering want to make sure i understand this

I am teaching myself firewall filtering on a couple of EX switches and wanted to verify my understanding of how the filter would process the 2 terms below that are part of one filter.


term term-one {
    from {
        source-mac-address {
            00:00:01:e1:de:00:be/48;
        }
        source-address {
            /* address not shown in the original post */
        }
    }
    then {
        discard;
        syslog;
    }
}
term term-two {
    then {
        accept;
    }
}

If source-address and source-mac-address match in term-one, then it will discard the packet and generate a syslog message, and if it does not match in term-one, then the rest of the traffic should match in term-two and be accepted.


Trusted Contributor
Posts: 165
Registered: ‎04-23-2011

Re: Firewall filtering want to make sure i understand this

Yes, it would do as you said, however, why would you want to?  In the real world, the MAC address should be unique, so there would be no need to have both options present.


If you didn't apply the second term, then you would have an implicit deny as well, so putting the second term covers all other traffic, so well done.


I'm not sure if you have seen the fasttrack learning resources, however, in the JNCIS-ENT Switching Study Guide, chapter 5 details firewall filters on EX switches and where you can apply them.  You can access them here:  They are located under the JNCIS section.

Martin Brown
Juniper Ambassador
Network Security Engineer
CCNA Wireless, CCNP, CCNP Security, CCDA
HE IPv6 Sage, IPv6 Forum Gold Engineer
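As an added illustration (not part of the thread, and not Juniper's code), the following small Python simulation walks through the evaluation order the two replies above rely on: terms are tried in configuration order, every condition in a term's from clause must match, the first matching term decides the packet, and a packet that matches no term falls to the implicit discard at the end of the filter. It also shows what changes when term-two is left out. The MAC and IP values are constructed documentation-range addresses, and matching is simplified to exact comparison rather than prefix matching.

```python
from typing import Optional
from dataclasses import dataclass


@dataclass
class Term:
    """One term of a firewall filter (simplified: exact-match conditions)."""
    name: str
    action: str                         # "accept" or "discard"
    from_mac: Optional[str] = None      # source-mac-address, None = any
    from_ip: Optional[str] = None       # source-address, None = any
    syslog: bool = False                # "syslog" action modifier

    def matches(self, pkt: dict) -> bool:
        # All from conditions must match (logical AND); an empty from
        # clause matches every packet, as term-two in the thread does.
        if self.from_mac is not None and pkt["src_mac"] != self.from_mac:
            return False
        if self.from_ip is not None and pkt["src_ip"] != self.from_ip:
            return False
        return True


def evaluate(terms, pkt):
    """Return (action, term name, syslog line or None) for one packet.

    Terms are tried in configuration order and the first match wins; a
    packet that matches no term is dropped by the implicit discard at the
    end of every Junos firewall filter, with no syslog message.
    """
    for term in terms:
        if term.matches(pkt):
            line = None
            if term.syslog:
                line = (f"FW: {term.name} {term.action} "
                        f"src {pkt['src_mac']} {pkt['src_ip']}")
            return term.action, term.name, line
    return "discard", "<implicit>", None


# Constructed sample values (documentation ranges), not from the thread.
BLOCKED_MAC = "00:00:5e:00:53:01"
BLOCKED_IP = "192.0.2.10"

TERM_ONE = Term("term-one", "discard", from_mac=BLOCKED_MAC,
                from_ip=BLOCKED_IP, syslog=True)
TERM_TWO = Term("term-two", "accept")

FILTER_WITH_TERM_TWO = [TERM_ONE, TERM_TWO]
FILTER_WITHOUT_TERM_TWO = [TERM_ONE]


def demo():
    """Evaluate three constructed packets against both filter variants."""
    both_match = {"src_mac": BLOCKED_MAC, "src_ip": BLOCKED_IP}
    mac_only = {"src_mac": BLOCKED_MAC, "src_ip": "192.0.2.77"}
    unrelated = {"src_mac": "00:00:5e:00:53:ff", "src_ip": "198.51.100.5"}
    return {
        "both_match": evaluate(FILTER_WITH_TERM_TWO, both_match),
        "mac_only": evaluate(FILTER_WITH_TERM_TWO, mac_only),
        "unrelated": evaluate(FILTER_WITH_TERM_TWO, unrelated),
        "unrelated_no_term_two": evaluate(FILTER_WITHOUT_TERM_TWO, unrelated),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} -> {result}")
```

The "mac_only" case is the one the first reply is getting at: because term-one requires both conditions, a frame from the listed MAC with a different source IP is not caught by term-one and is accepted by term-two. The last case shows the implicit discard that would apply to all other traffic if term-two were removed.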
Recognized Expert
Posts: 191
Registered: ‎12-30-2008

Re: Firewall filtering want to make sure i understand this


Hey there,


Reading this filter, I would assume there is a constraint between the MAC (physical device) and IP address, potentially some redundancy/backup mode enforcing; hence including both in a from statement.



Copyright© 1999-2015 Juniper Networks, Inc. All rights reserved.